Platform: nodejs
Component: object-path
Fixed in: 0.11.6
CVE-2021-23434 describes a type confusion vulnerability affecting the object-path Node.js package. This flaw allows attackers to bypass a previous vulnerability (CVE-2020-15256) by manipulating path components, potentially leading to unauthorized access or code execution. The vulnerability impacts versions of object-path before 0.11.6, and a patch is available in version 0.11.6.
The core of this vulnerability lies in how object-path handles path components that are arrays rather than strings. The guard that blocks access to the prototype compares each component with the strict-equality operator (currentPath === '__proto__'). Strict equality always returns false when the operands differ in type, so a component supplied as the one-element array ['__proto__'] passes the check even though it is coerced to the string '__proto__' when later used as a property key. This lets an attacker circumvent the check introduced by the fix for CVE-2020-15256 to prevent access to sensitive properties. Successful exploitation could enable an attacker to read or modify arbitrary properties of the targeted JavaScript object, potentially leading to information disclosure or remote code execution depending on the application's context. The impact is amplified if the object-path package is used in a critical part of an application's data-processing pipeline.
CVE-2021-23434 was publicly disclosed on September 1, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. No public proof-of-concept (PoC) code has been released, but the bypass nature of the vulnerability suggests that a PoC could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.39% (60th percentile)
The primary mitigation for CVE-2021-23434 is to immediately upgrade the object-path package to version 0.11.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to ensure that path components are not provided as arrays. While a WAF or proxy cannot directly address this vulnerability, they can be configured to monitor for suspicious patterns in requests that might indicate an attempted exploitation. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual object property access patterns within your application's logs is recommended.
Update the object-path package to version 0.11.6 or higher. This fixes the prototype pollution vulnerability by avoiding type confusion when path components are arrays.
CVE-2021-23434 is a type confusion vulnerability in the object-path Node.js package, allowing bypass of CVE-2020-15256 by manipulating path components as arrays.
You are affected if you are using object-path versions prior to 0.11.6. Check your project dependencies with npm ls object-path or npm audit.
Upgrade to object-path version 0.11.6 or later. If immediate upgrade is not possible, implement input validation to prevent array-based path components.
There is no current evidence of active exploitation campaigns targeting CVE-2021-23434, but a PoC could be developed.
Refer to the object-path project's repository or related security advisories for the official advisory.